octave-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Octave-bug-tracker] [bug #58268] hdf5 load crashes on strings

From: Christian Häggström
Subject: [Octave-bug-tracker] [bug #58268] hdf5 load crashes on strings
Date: Tue, 28 Apr 2020 17:46:59 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 
URL:
  <https://savannah.gnu.org/bugs/?58268>

                 Summary: hdf5 load crashes on strings
                 Project: GNU Octave
            Submitted by: saturn
            Submitted on: Tue 28 Apr 2020 11:46:57 PM CEST
                Category: Octave Function
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: Segfault, Bus Error, etc.
                  Status: None
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: 5.2.0
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

Minimal testcase can be created with this Python snippet, also attached.

python3 -c "import h5py, numpy; f = h5py.File('outfile.hdf5', 'w');
f.create_dataset('scan/date', data=numpy.string_('Mon Jun 18 03:34:30 2018'));
f.close()"



$ octave-cli --version
GNU Octave, version 5.2.0

$ octave-cli --eval "load outfile.hdf5"
free(): invalid next size (fast)
fatal: caught signal Aborted -- stopping myself...
Aborted

$ valgrind octave-cli --eval "load outfile.hdf5"
==238738== Invalid write of size 1
==238738==    at 0x483B114: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1034)
==238738==    by 0x715A2CF: H5D__scatter_mem (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x715A911: H5D__scatgath_read (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x7142E22: H5D__contig_read (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x7156755: H5D__read (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x7156B68: H5Dread (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x5217072: octave_char_matrix_str::load_hdf5(long, char
const*) (in /usr/lib/x86_64-linux-gnu/liboctinterp.so.7.0.1)
==238738==    by 0x56ACBBB: ??? (in
/usr/lib/x86_64-linux-gnu/liboctinterp.so.7.0.1)
==238738==    by 0x71C44ED: ??? (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x71CBAC7: H5G__node_iterate (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x70FEA25: ??? (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==    by 0x70FFFA9: H5B_iterate (in
/usr/lib/x86_64-linux-gnu/libhdf5_serial.so.103.2.0)
==238738==  Address 0xd124428 is 0 bytes after a block of size 24 alloc'd
==238738==    at 0x483750F: operator new[](unsigned long)
(vg_replace_malloc.c:433)
==238738==    by 0x521700F: octave_char_matrix_str::load_hdf5(long, char
const*) (in /usr/lib/x86_64-linux-gnu/liboctinterp.so.7.0.1)


It looks to me that octave forgets to allocate space for the trailing NUL
byte. Please observe that this file was not created by Octave itself, but even
if Octave rejects the file it should not crash.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 28 Apr 2020 11:46:57 PM CEST  Name: outfile.hdf5  Size: 5KiB   By:
saturn

<http://savannah.gnu.org/bugs/download.php?file_id=48962>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58268>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]